cybergate | c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d

General

Target

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
Size

334KB
MD5

9f2f7476b19162efeb42cac9ef2889e4
SHA1

3956de2ac05f277a0281e4139d1512e7f1530f78
SHA256

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d
SHA512

4c1a10f2883ede1df88d34b60613b27a889df7479179cfca17e2f5fead2a97e87505fba037f21d8d4e023d4ca5b0dce6198ddf1187b4068caaec519f13e193bb
SSDEEP

6144:r/feJ2ORBAdHuSSDpmFA6GCmjTEXxF0PjoreNVF9FnV36H:r/febUOSccV4CP0bMUH9FS

Score

10^/10

cybergate 3 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

3

C2

127.0.0.1:80

whybifi.zapto.org:80

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
rundll
install_file
rundll32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
rundll32
regkey_hklm
rundll

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\rundll\\rundll32.exe"	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\rundll\\rundll32.exe"	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

Executes dropped EXE 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3676 rundll32.exe
1200 rundll32.exe

pid	process
3676	rundll32.exe
1200	rundll32.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{647G2VME-5MVS-6IJ0-L8OI-NUU74O04UH88}	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{647G2VME-5MVS-6IJ0-L8OI-NUU74O04UH88}\StubPath = "C:\\Windows\\system32\\rundll\\rundll32.exe Restart"	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{647G2VME-5MVS-6IJ0-L8OI-NUU74O04UH88}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{647G2VME-5MVS-6IJ0-L8OI-NUU74O04UH88}\StubPath = "C:\\Windows\\system32\\rundll\\rundll32.exe"	explorer.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4904-143-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4904-149-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/720-152-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/720-153-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4904-157-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/4904-163-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/3960-166-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/3960-168-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/720-181-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3960-182-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Windows\\system32\\rundll\\rundll32.exe"	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rundll = "C:\\Windows\\system32\\rundll\\rundll32.exe"	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

Drops file in System32 directory 5 IoCs

Processes:

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exec25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exerundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll\rundll32.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
File opened for modification	C:\Windows\SysWOW64\rundll\rundll32.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
File opened for modification	C:\Windows\SysWOW64\rundll\rundll32.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
File opened for modification	C:\Windows\SysWOW64\rundll\	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
File opened for modification	C:\Windows\SysWOW64\rundll\rundll32.exe	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exerundll32.exe

description	pid	process	target process
PID 5056 set thread context of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 3676 set thread context of 1200	3676	rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4320 1200 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4320	1200	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

pid	process
4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

pid process

3960 c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

pid	process
3960	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

description	pid	process
Token: SeDebugPrivilege	3960	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
Token: SeDebugPrivilege	3960	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

pid process

4904 c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exerundll32.exe

pid process

5056 c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
3676 rundll32.exe

pid	process
5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
3676	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exec25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe

description	pid	process	target process
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 5056 wrote to memory of 4904	5056	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE
PID 4904 wrote to memory of 2376	4904	c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
"C:\Users\Admin\AppData\Local\Temp\c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
C:\Users\Admin\AppData\Local\Temp\c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe
"C:\Users\Admin\AppData\Local\Temp\c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d.exe"
4⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\SysWOW64\rundll\rundll32.exe
"C:\Windows\system32\rundll\rundll32.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3676

C:\Windows\SysWOW64\rundll\rundll32.exe
C:\Windows\SysWOW64\rundll\rundll32.exe
6⤵
- Executes dropped EXE
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 708
7⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1200 -ip 1200
1⤵
PID:400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
c62724ec75057c2dcdde16175eef1537

SHA1
88e265a1db994a4996764bd89cb220ec7e6ab3fe

SHA256
b8af833f254b5b0426145cb26290f2b6ed6538836601437c9cb6cc70c54bfdfd

SHA512
780090092570a5ac034b69fc7431f8812a283f843e0958a2bb9b2b88f06fec21c20df822ec644901178f5fc5aabcc624ecc87a5a4598f85970a58d09fcebac7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2891029575-1462575-1165213807-1000\699c4b9cdebca7aaea5193cae8a50098_9be0bf4d-f8db-4af4-be85-dc38433c9501
Filesize
50B

MD5
5b63d4dd8c04c88c0e30e494ec6a609a

SHA1
884d5a8bdc25fe794dc22ef9518009dcf0069d09

SHA256
4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

SHA512
15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Download Submit
C:\Windows\SysWOW64\rundll\rundll32.exe
Filesize
334KB

MD5
9f2f7476b19162efeb42cac9ef2889e4

SHA1
3956de2ac05f277a0281e4139d1512e7f1530f78

SHA256
c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d

SHA512
4c1a10f2883ede1df88d34b60613b27a889df7479179cfca17e2f5fead2a97e87505fba037f21d8d4e023d4ca5b0dce6198ddf1187b4068caaec519f13e193bb

Download Submit
C:\Windows\SysWOW64\rundll\rundll32.exe
Filesize
334KB

MD5
9f2f7476b19162efeb42cac9ef2889e4

SHA1
3956de2ac05f277a0281e4139d1512e7f1530f78

SHA256
c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d

SHA512
4c1a10f2883ede1df88d34b60613b27a889df7479179cfca17e2f5fead2a97e87505fba037f21d8d4e023d4ca5b0dce6198ddf1187b4068caaec519f13e193bb

Download Submit
C:\Windows\SysWOW64\rundll\rundll32.exe
Filesize
334KB

MD5
9f2f7476b19162efeb42cac9ef2889e4

SHA1
3956de2ac05f277a0281e4139d1512e7f1530f78

SHA256
c25ed9b00e6df8695436560307f13e58e1d26d41dbe13670a8a5bf2ede7e637d

SHA512
4c1a10f2883ede1df88d34b60613b27a889df7479179cfca17e2f5fead2a97e87505fba037f21d8d4e023d4ca5b0dce6198ddf1187b4068caaec519f13e193bb

Download Submit
memory/720-152-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/720-181-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/720-147-0x0000000000000000-mapping.dmp

Download
memory/720-153-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1200-174-0x0000000000000000-mapping.dmp

Download
memory/1200-180-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1200-178-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3676-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3676-169-0x0000000000000000-mapping.dmp

Download
memory/3960-166-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3960-182-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3960-168-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3960-161-0x0000000000000000-mapping.dmp

Download
memory/3960-162-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4904-143-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4904-141-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4904-167-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4904-157-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/4904-149-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4904-148-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4904-136-0x0000000000000000-mapping.dmp

Download
memory/4904-163-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4904-137-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4904-139-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4904-138-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5056-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5056-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5056-133-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads